Fake web sites are frequently used to trick users into revealing confidential information. Site “seals” with a logo which the user associates with security help give users a sense of comfort when visiting a legitimate web site. This is analogous to a Better Business Bureau sticker in a physical storefront. However, on the web it is trivial for a fake site to copy such a seal. Trying to detect sites with such counterfeit seals and to then take down these sites is a slow process. Another alternative, having seals which require a user to click on them to verify authenticity expects users to be far more proactive and careful then they have proven to be. A somewhat more secure alternative is to install a toolbar that examines each page the user downloads and checks whether the source is a known malicious site. The disadvantage of this approach is that the user has to download and install a toolbar. Another approach that has proven not to work is the use of the SSL infrastructure wherein users are expected to navigate a maze of locks, green bars and frequent cryptic error messages, in order to ascertain the legitimacy of a site. When combined with the rise of man in the middle (MITM) and man in the browser (MITB) attacks, it is safe to say that current site authentication techniques on the web simply do not work.
The converse problem of user authentication to a web site is even more challenging. Most techniques for authentication like passwords and one time passwords are considered vulnerable to MITM and MITB attacks. Exacerbating the situation is the notion of single sign on or federation; namely the notion that one site will vouch for the authenticity of the user to several other sites. A single key to open several doors is certainly convenient, but if that one key is weak, then the risk has just been amplified.
The innovation described herein seeks to use a single approach to greatly increase the security of both site and user authentication.